Bug 3403 - Rule for detecting encoded IP addresses.
Summary: Rule for detecting encoded IP addresses.
Status: RESOLVED FIXED
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules (show other bugs)
Version: SVN Trunk (Latest Devel Version)
Hardware: Other other
: P5 normal
Target Milestone: 3.1.0
Assignee: SpamAssassin Developer Mailing List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-05-17 03:11 UTC by Jesse Houwing
Modified: 2004-05-20 02:56 UTC (History)
0 users


Attachment Type Modified Status Actions Submitter/CLA Status
Rule text/plain None Jesse Houwing [HasCLA]
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jesse Houwing 2004-05-17 03:11:42 UTC 
I've written a rule to catch any form of IP address obfuscation mentioned here:

http://www.pc-help.org/obscure.htm

This rule will catch:

- DWord, Hex, Octal encoded IP addresses
- possibly %hex encoded versions of the above
- mix & match of the above

I ran it against a couple of corpora and it's currently only hitting Spam.

The rule is currently part of a SARE ruleset which can be found here:
http://www.rulesemporium.com/rules/72_sare_redirect_post3.0.0.cf
Comment 1 Jesse Houwing 2004-05-17 03:12:24 UTC 
Created attachment 1961 [details]
Rule

Rule attached.
Comment 2 Daniel Quinlan 2004-05-18 01:52:11 UTC 
Does this catch a lot of spam for you?  It seems to hit very little
mail for me, I'll try a rawbody version as well.

Added to SVN for testing, closing as fixed.
Comment 3 Jesse Houwing 2004-05-18 02:54:58 UTC 
It catches about 124 mails from 8000 on my corpus, but more on the corpus of
others. It was written in response to discussion on the SA-users list about
these kinds of IP obfuscations.
Comment 4 Daniel Quinlan 2004-05-20 10:56:11 UTC 
rule didn't work so well, so dropping it:

  0.015   0.0165   0.0025    0.870   0.49    0.01  T_HEXOCTDWORD_U
  0.015   0.0157   0.0049    0.760   0.49    0.01  T_HEXOCTDWORD_R

Only 0.016% of spam and relatively (relative to the spam hits) high FP rate.